Security

Your resume, protected.

Every technical and operational choice we've made to keep your data safe.

Encryption

  • At rest: AES-256 on Firestore and GCS, managed through Google Cloud KMS and Secret Manager. All customer data is encrypted before storage.
  • In transit: TLS 1.3 on every edge; HSTS preload; certificate transparency monitoring. All API calls and data transfers are encrypted.
  • Key management: GCP Secret Manager handles sensitive credentials with automatic rotation where supported.

Infrastructure security

  • Cloud provider: Hosted on Google Cloud Platform (GCP), which maintains ISO 27001, SOC 1/2/3, PCI DSS Level 1, and HIPAA certifications.
  • Regions: Primary region is GCP us-central1 (Iowa). Data residency options available for enterprise customers.
  • Network security: Google Cloud Armor protects against common web exploits and DDoS attacks. VPC with private service access for database security.
  • Backup strategy: Automated daily backups with point-in-time recovery for Firestore. Multi-region redundancy for critical GCS data.
  • Disaster recovery: Multi-zone deployment for high availability. Recovery Time Objective (RTO): 4 hours. Recovery Point Objective (RPO): 1 hour.

Access controls

  • Authentication: Firebase Auth (Google Identity Platform) for user authentication with multi-factor support. Passwords are never stored directly; we use secure identity tokens.
  • Authorization: Least-privilege IAM roles for all backend services via GCP Service Accounts.
  • Per-user isolation: Data is isolated via Firebase-authenticated scopes and user-scoped Firestore document paths. Cross-user reads are structurally impossible.
  • No full-collection access: No service or user has full-collection read access to production databases. All access is scoped to specific documents.
  • Zero long-lived credentials: No long-lived credentials in code or CI. Every GCP interaction uses short-lived tokens with automatic rotation.
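The per-user isolation and "no full-collection access" rules above can be enforced server-side with a small path guard. The code below is an added illustration, not Jobeezy's own code; it assumes the caller's `uid` has already been taken from a verified identity token and that app data lives under `users/{uid}/...` (both assumptions for this example).

```python
import re

# Constructed example (not Jobeezy's code): a guard that only admits access
# to a single document under the caller's own user-scoped path.
# Assumption: `uid` comes from an ID token that was verified upstream.

# One Firestore path segment: reject empty segments and traversal-like input.
_SEGMENT = re.compile(r"^[A-Za-z0-9_-]+$")


def parse_path(path):
    """Split a Firestore path into segments, rejecting empty or unsafe ones."""
    segments = path.strip("/").split("/")
    if any(not _SEGMENT.fullmatch(s) for s in segments):
        raise ValueError("invalid path segment in %r" % path)
    return segments


def is_allowed(uid, path):
    """Return True only for a single document under users/{uid}/...

    Firestore paths alternate collection/document, so a document path has an
    even number of segments. An odd count names a collection, i.e. a listing
    or full-collection read, and is refused regardless of owner. The first two
    segments must be 'users' and the caller's own uid, so a read of another
    user's tree is rejected before any database call is made.
    """
    try:
        segments = parse_path(path)
    except ValueError:
        return False
    if len(segments) < 2 or len(segments) % 2 != 0:
        return False  # collection path: listing is never permitted
    return segments[0] == "users" and segments[1] == uid


def authorize(uid, path):
    """Raise PermissionError instead of returning False, for call sites that
    should fail closed (e.g. just before a Firestore client call)."""
    if not is_allowed(uid, path):
        raise PermissionError("access to %r denied for user %s" % (path, uid))
    return path


if __name__ == "__main__":
    print(is_allowed("u1", "users/u1/resumes/r1"))   # own document: True
    print(is_allowed("u1", "users/u2/resumes/r1"))   # other user: False
    print(is_allowed("u1", "users/u1/resumes"))      # collection listing: False
```

The check runs before the database client is invoked, so a bug in a higher layer that builds the wrong path still cannot read another user's data or enumerate a collection; in a real deployment the same rule would also be expressed in Firestore security rules so that the backend is not the only line of defence.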

AI provider security

  • Primary provider: Google Vertex AI (Gemini) under an enterprise-grade zero-retention agreement. Your data is not logged, cached, or used for training the foundation models.
  • Data sanitization: No third-party foundation model ever receives raw identifiers. Names, emails, and phone numbers are stripped before the AI call.
  • EEOC data isolation: EEOC self-identification data is never sent to any AI provider. It remains isolated in our secure Firestore systems.
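The two rules in the "Data sanitization" and "EEOC data isolation" bullets above, shown as one added example that is not Jobeezy's code: structured identifier fields and the whole EEOC block are dropped from the outgoing request, identifiers embedded in free text are redacted, and a final check refuses to send anything that still looks like PII. Field names, the sample profile and the regular expressions are constructed for illustration.

```python
import re

# Constructed example, not Jobeezy's code. Field names are assumptions.
DIRECT_IDENTIFIER_FIELDS = {"name", "email", "phone"}
EEOC_FIELDS = {"eeoc"}  # the entire self-identification block
BLOCKED_FIELDS = DIRECT_IDENTIFIER_FIELDS | EEOC_FIELDS

# Deliberately simple detectors for the demo; a production system would use a
# dedicated PII detector (names in free text, for example, need NER, not regex).
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
PHONE_RE = re.compile(r"(?:\+\d{1,2}[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")


def redact_text(text):
    """Replace e-mail addresses and phone numbers inside free text."""
    text = EMAIL_RE.sub("[EMAIL]", text)
    return PHONE_RE.sub("[PHONE]", text)


def scrub(value):
    """Recursively copy a value, dropping blocked keys and redacting strings.

    Returns a new structure; the stored record is never modified, so the
    identifiers remain available to the application itself.
    """
    if isinstance(value, str):
        return redact_text(value)
    if isinstance(value, list):
        return [scrub(v) for v in value]
    if isinstance(value, dict):
        return {k: scrub(v) for k, v in value.items() if k not in BLOCKED_FIELDS}
    return value


def build_ai_payload(profile):
    """Return the subset of a profile that may be sent to a foundation model."""
    return scrub(profile)


def leaks(payload):
    """Fail-closed check before the provider call: list anything that should
    not be in the payload. An empty list means it is safe to send."""
    problems = []
    for key in sorted(BLOCKED_FIELDS):
        if key in payload:
            problems.append("field %r present" % key)
    blob = repr(payload)
    if EMAIL_RE.search(blob):
        problems.append("email address in payload")
    if PHONE_RE.search(blob):
        problems.append("phone number in payload")
    return problems


# Constructed sample record (all values fictional).
SAMPLE_PROFILE = {
    "name": "Jane Example",
    "email": "jane@example.com",
    "phone": "(555) 010-2345",
    "summary": "Backend engineer. Reach me at jane@example.com or (555) 010-2345.",
    "skills": ["Python", "GCP"],
    "experience": [{"title": "Engineer", "years": "2019 - 2023"}],
    "eeoc": {"gender": "female", "veteran_status": "no"},
}


if __name__ == "__main__":
    payload = build_ai_payload(SAMPLE_PROFILE)
    assert not leaks(payload), leaks(payload)  # refuse to call the model otherwise
    print(payload)
```

The separation matters for detection as well as prevention: `leaks()` is the kind of check that can be logged and alerted on, so a regression that re-introduces an identifier field is caught at the boundary rather than discovered in the provider's logs.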

Monitoring and logging

  • Security monitoring: Google Cloud Audit Logs for API activity logging with automated alerts for suspicious activity patterns.
  • Error tracking: Sentry for error monitoring and crash reporting with data sanitization. No sensitive data in error logs.
  • Performance monitoring: Cloud Monitoring and Cloud Trace for infrastructure metrics.
  • Log retention: Security logs retained for 90 days. Audit logs retained for 7 years for compliance purposes.

Security practices

  • Code review: All code changes undergo peer review before deployment. Security-focused reviews for sensitive changes.
  • Dependency scanning: Automated scanning of dependencies for known vulnerabilities (CVEs) using tools like Dependabot and Snyk.
  • Static analysis: Static application security testing (SAST) as part of CI/CD pipeline.
  • Penetration testing: Planned annual third-party penetration testing. Continuous automated security scanning.
  • Employee training: Security training for all employees. Secure coding training for developers.

Compliance

  • SOC 2 Type I: Planned for Q3 2026. We are preparing for an independent audit covering security, availability, and confidentiality.
  • GDPR: Data subject access, portability, and deletion implemented. Data Protection Officer available at dpo@jobeezy.com.
  • CCPA / CPRA: Request portal at /legal/ccpa/. We do not sell personal information.
  • DPA for B2B: Data Processing Addendum available at /legal/dpa/ for enterprise customers.
  • EEOC compliance: Voluntary self-identification data handled in compliance with EEOC regulations. Audit trail maintained for 7 years.

Responsible disclosure

We run a private disclosure program for security researchers. Email security@jobeezy.com with details (PGP-encrypted preferred). We acknowledge within 24 hours and fix critical issues within 7 days. Public disclosure welcome after a fix ships.

PGP Key: security@jobeezy.com (key available on request)

Incident history

No security incidents disclosed to date. We will update this page within 72 hours of detection of any qualifying event in accordance with our incident response policy.

Third-party security assessments

  • Independent audits: Planned annual independent security audits by third-party assessors.
  • Penetration testing: Planned annual penetration testing by certified security firms.
  • Vulnerability scanning: Continuous automated vulnerability scanning of production systems.

Contact security

For security inquiries or to report a potential vulnerability, email security@jobeezy.com.
